## GitHub Security Fix: Critical Handlebars Injection CVE & 25 Production Vulnerabilities Eliminated
A security remediation has been completed that eliminates 25 production dependency vulnerabilities, including a critical Handlebars.js injection CVE, and secures the build pipeline. The fix removed the `auto-changelog` devDependency outright, since it was the path through which the critical CVE and four related high-severity issues entered the dependency tree. To keep the changelog workflow without that dependency, the changelog script was replaced with a dependency-free `git log` one-liner, which runs no third-party code at all.

The cleanup also required pinning transitive dependencies, done through `pnpm.overrides` in `package.json` to force patched versions along several dependency paths. This closed an Arbitrary File Write in `rollup` (via the vitest>vite path), Prototype Pollution in `flatted` (via eslint>flat-cache), multiple ReDoS vulnerabilities in `minimatch` and `picomatch` as pulled in by eslint, glob, @sentry/node and eslint-config-next, and a ReDoS in `ajv` reached through `@commitlint/config-validator`. An override replaces whatever version the lockfile would otherwise resolve, so after `pnpm install` the result should be confirmed with `pnpm audit` and `pnpm why <package>`, and the build re-run, because a forced version can break a consumer that expected the older API.
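
The three changes described above (dropping `auto-changelog`, swapping the changelog script for a `git log` command, and adding `pnpm.overrides` entries), shown as an added example in Node.js. This is not the project's own code or the text of its issue: the sample `package.json`, the selector paths, every version number and the `git log` format string are assumptions chosen for illustration, and real values must come from the advisories and the project's lockfile.

```javascript
// Added example, not code from the page or the project it describes. It applies
// the three changes the summary lists to an in-memory package.json: drop the
// `auto-changelog` devDependency, replace the changelog script with a plain
// `git log` command, and pin vulnerable transitive packages via `pnpm.overrides`.
// Selector paths, version numbers and the git format string are assumptions
// chosen for illustration; take real values from the advisories and lockfile.

// Constructed sample package.json (hypothetical project state before the fix).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  scripts: {
    build: 'next build',
    changelog: 'auto-changelog -p && git add CHANGELOG.md',
  },
  devDependencies: {
    'auto-changelog': '2.4.0',
    eslint: '9.0.0',
    vitest: '2.0.0',
  },
};

// Dependency-free replacement for the changelog script (assumed format; any
// `git log --pretty` layout works since it runs no third-party code).
const CHANGELOG_SCRIPT = "git log --no-merges --pretty=format:'- %s (%h)'";

// Each entry: a pnpm "parent>child" selector so the pin applies only on that
// path (a bare package name would pin it for every consumer), the first patched
// release from the advisory (placeholder values here), and the version to
// force. `pin` must be >= `fixedIn`, otherwise the override leaves the hole open.
const OVERRIDES = [
  { selector: 'vite>rollup',                      fixedIn: '4.1.0',  pin: '4.1.0'  },
  { selector: 'flat-cache>flatted',               fixedIn: '3.2.7',  pin: '3.3.0'  },
  { selector: 'eslint>minimatch',                 fixedIn: '3.0.5',  pin: '3.1.2'  },
  { selector: 'eslint-config-next>picomatch',     fixedIn: '2.3.1',  pin: '2.3.1'  },
  { selector: '@commitlint/config-validator>ajv', fixedIn: '6.12.3', pin: '6.12.6' },
];

// Minimal semver ordering on major.minor.patch; pre-release tags are ignored,
// so do not rely on this for pins like "1.2.3-beta.1".
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns a new package.json object with the fix applied; the input is not
// mutated. Throws if any override would pin below its advisory's fixed version.
function applySecurityFix(pkg, overrides, changelogScript) {
  const out = JSON.parse(JSON.stringify(pkg));

  // 1. Remove the devDependency that pulled in the vulnerable subtree.
  if (out.devDependencies) delete out.devDependencies['auto-changelog'];

  // 2. Replace the script so `pnpm changelog` keeps working without it.
  out.scripts = { ...(out.scripts || {}), changelog: changelogScript };

  // 3. Force patched transitive versions, refusing pins that miss the fix.
  out.pnpm = out.pnpm || {};
  out.pnpm.overrides = { ...(out.pnpm.overrides || {}) };
  for (const { selector, fixedIn, pin } of overrides) {
    if (compareSemver(pin, fixedIn) < 0) {
      throw new Error(`override ${selector}: ${pin} is below fixed version ${fixedIn}`);
    }
    out.pnpm.overrides[selector] = pin;
  }
  return out;
}

// Selectors that a package.json does not pin yet, or pins below the fixed
// version. Usable as a CI gate so a later edit cannot quietly drop an override.
function missingOverrides(pkg, overrides) {
  const current = (pkg.pnpm && pkg.pnpm.overrides) || {};
  return overrides
    .filter(({ selector, fixedIn }) =>
      !current[selector] || compareSemver(current[selector], fixedIn) < 0)
    .map(({ selector }) => selector);
}

const FIXED = applySecurityFix(SAMPLE_PACKAGE_JSON, OVERRIDES, CHANGELOG_SCRIPT);
console.log(JSON.stringify(FIXED, null, 2));
```

Writing the returned object back to `package.json` and running `pnpm install` is what actually rewrites the lockfile; `missingOverrides` is the check to keep in CI afterwards, since an override that is removed or lowered in a later refactor reintroduces the vulnerable version without any visible change in direct dependencies.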

With these overrides in place, the production build is green again: `pnpm build` succeeds on Next.js 16.1.7 with Turbopack, generating 43 routes with no TypeScript errors. This resolves the second major release blocker listed in the project's `PRODUCTION_READINESS_ASSESSMENT.md`, a significant step toward a secure and stable deployment.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software_development, vulnerability_management, devops, npm_security
- **Credibility**: unverified
- **Published**: 2026-03-30 15:27:36
- **ID**: 41495
- **URL**: https://whisperx.ai/en/intel/41495